This topic describes how to use ActionTrail to deliver events to Log Service and monitor the use of your Alibaba Cloud account or configure an alert in Log Service.


Before you begin, make sure that you have an Alibaba Cloud account. If you do not have one, create an Alibaba Cloud account first.

Create a trail

  1. Log on to the ActionTrail console.
  2. In the top navigation bar, select the region where you want to create a trail.
    Note The region that you select becomes the home region of the trail to be created.
  3. In the left-side navigation pane, choose ActionTrail > Trails.
  4. Click Create Trail. On the page that appears, enter a name in the Trail Name field.
  5. Set Apply Trail to All Regions to Yes.
  6. Set Event Type to All.
  7. Turn on the Enable Logging switch and set Deliver Events To to SLS Logstore.
  8. Set Create Log Service Project to Yes, select a region from the Log Service Region drop-down list, and then enter a project name in the Log Service Project field.
    Note The Log Service project specified here is used to store event logs delivered by ActionTrail. You can enter the name of an existing project in the selected region or enter a new project name.
  9. Click Confirm.
  10. In the dialog box that appears, click Activate.
    Note To create a trail, you need to authorize ActionTrail to access Log Service and Object Storage Service (OSS). If you have granted the permissions, this dialog box does not appear.
  11. On the page that appears, click Activate Log Service.
    Note After you create the trail, ActionTrail delivers events in all regions to a Logstore in the specified Log Service project.

Configure Log Service

  1. On the Trails page, find the target trail and click Log analysis in the Log Service Links column.
    Note You can also log on to the Log Service console to configure the service.
  2. Enter event.userIdentity.type:"root-account" | select count(1) as use_root in the search bar and click Search & Analyze.
  3. Save the search or configure an alert based on the search.
    • Save the search: Click Save Search in the upper-right corner. In the dialog box that appears, set Saved Search Name and click OK.
      Note After you save the search, you can select it in the Log Service console to quickly initiate the search.

      For more information about a saved search, see Save a query statement as a saved search.

    • Configure an alert based on the search: Click Saved as Alert in the upper-right corner. In the Alert Configuration step, set the alert parameters, as shown in the following figure. In the Notifications step, select a notification method.

      For more information about how to configure an alert, see Configure an alert.

      Figure: Monitor the use of your Alibaba Cloud account
      Note After you configure the alert, you will receive an alert notification when the alert is triggered. For example, according to the alert configuration shown in the preceding figure, Log Service checks the use of your Alibaba Cloud account at an interval of five minutes. If your Alibaba Cloud account is used, Log Service generates an alert.


You can view and manage the saved search and alerts in the Log Service console.
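
The following Python sketch replays the search and alert logic above offline, so that you can check the rule against exported events before you rely on the alert. It is an added example, not code from ActionTrail or Log Service. It assumes that each exported record is one JSON object per line with a top-level "event" key and that the alert triggers when use_root is greater than 0. The sample events are constructed.

```python
import json
from collections import Counter
from datetime import datetime, timezone

WINDOW_SECONDS = 300  # the five-minute check interval described in the note above
TIME_FORMAT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample records (assumed export shape: one JSON object per line).
SAMPLE_EVENTS = [
    '{"event": {"eventTime": "2024-01-01T08:01:10Z", "eventName": "ConsoleSignin", "userIdentity": {"type": "root-account"}}}',
    '{"event": {"eventTime": "2024-01-01T08:03:45Z", "eventName": "DescribeInstances", "userIdentity": {"type": "root-account"}}}',
    '{"event": {"eventTime": "2024-01-01T08:04:00Z", "eventName": "DescribeInstances", "userIdentity": {"type": "ram-user"}}}',
    '{"event": {"eventTime": "2024-01-01T08:17:30Z", "eventName": "ConsoleSignin", "userIdentity": {"type": "root-account"}}}',
    'not json',  # malformed record, skipped by the parser
    '{"event": {"eventTime": "2024-01-01T08:22:00Z", "eventName": "GetObject", "userIdentity": {"type": "assumed-role"}}}',
]

def window_start(event_time):
    """Return the epoch second at which the event's five-minute window begins."""
    ts = datetime.strptime(event_time, TIME_FORMAT).replace(tzinfo=timezone.utc)
    epoch = int(ts.timestamp())
    return epoch - epoch % WINDOW_SECONDS

def root_use_by_window(lines):
    """Equivalent of the search: count root-account events (use_root) per window."""
    counts = Counter()
    for line in lines:
        try:
            event = json.loads(line)["event"]
            identity_type = event["userIdentity"]["type"]
            start = window_start(event["eventTime"])
        except (ValueError, KeyError, TypeError):
            continue  # malformed or incomplete record: skip it, do not abort the run
        if identity_type == "root-account":
            counts[start] += 1
    return dict(counts)

def triggered_windows(lines, threshold=0):
    """Windows in which the alert would fire (assumed condition: use_root > threshold)."""
    counts = root_use_by_window(lines)
    return sorted(
        datetime.fromtimestamp(start, tz=timezone.utc).strftime(TIME_FORMAT)
        for start, use_root in counts.items()
        if use_root > threshold
    )

if __name__ == "__main__":
    for window in triggered_windows(SAMPLE_EVENTS):
        print("root-account used in window starting", window)
```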